Office of Inspector General
Audit Report

USMMA SECURITY CONTROLS WERE NOT SUFFICIENT TO PROTECT SENSITIVE DATA FROM UNAUTHORIZED ACCESS

Maritime Administration

Report Number: FI-2012-138
Date Issued: May 30, 2012

Memorandum
U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Subject: ACTION: USMMA Security Controls Were Not Sufficient to Protect Sensitive Data from Unauthorized Access
         Maritime Administration
         Report No. FI-2012-138
Date: May 30, 2012

From: Louis C. King
      Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20

To: Maritime Administrator

The United States Merchant Marine Academy (USMMA), located in Kings Point, New York, is the Federal Service Academy—operated by the Department of Transportation's (DOT) Maritime Administration—responsible for training shipboard officers for the U.S. Merchant Marine. It is a fully accredited, degree-granting institution, and as an institute of higher education, USMMA possesses sensitive information, including current and former students' grades and personally identifiable information (PII), such as social security numbers and passport numbers. The Academy uses a local area network (LAN) and Website for several purposes, including the acceptance of student applications and maintenance of student grade records, both of which include PII.

We initiated this audit in response to weaknesses identified at USMMA during the fiscal year 2010 information security audit required by the Federal Information Security Management Act of 2002 (FISMA). Our objectives were to: (1) determine whether USMMA's LAN and Website are secure from compromise; and (2) identify security weaknesses in the Academy's LAN, Website and databases.

To conduct our work, we performed an external penetration test[1] to determine whether unauthorized access to USMMA's Website and network was possible. We also visited USMMA to perform onsite vulnerability assessments that would identify control weaknesses. Finally, we used a statistical sample of USMMA's user systems to evaluate compliance with required configuration baselines. We conducted this audit between February 2011 and March 2012 in accordance with generally accepted Government auditing standards.

[1] A penetration test is a method of computer security evaluation that involves the simulation of a malicious attack on information systems. The objective of the test is to determine whether external and/or internal parties can acquire unauthorized access to the systems.

RESULTS IN BRIEF

USMMA's security controls were not sufficient to protect its Website and LAN from compromise, as USMMA had not implemented security controls required by National Institute of Standards and Technology's (NIST) guidance and DOT policy. In March 2011, we successfully penetrated USMMA's network security through a misconfigured application on its Web server, and due to excessive account privileges and poor access controls on the LAN, were able to gain full access to the Academy's LAN and sensitive information. Our test demonstrated that all USMMA data, including PII, is at high risk of exposure to hackers. As a result of our work, USMMA corrected the vulnerability in its Web server that allowed our remote penetration during the audit,[2] but did not correct the other weaknesses we found on the LAN.

Additional information security weaknesses exist in USMMA's LAN, Website and databases because the Academy has not implemented information security programs for protection of information and information systems, as required by FISMA and DOT policies. For example, poor access controls over the Academy's databases make its PII vulnerable to unauthorized access. Other security management weaknesses—including missing software update patches;[3] ineffective security management tools; excessive account privileges; unnecessary accounts; insecure system configurations; ineffective contractor oversight; and the use of an internet connection that did not comply with the Trusted Internet Connection (TIC) requirement[4]—put its entire system at risk for compromise. USMMA's management attributed the identified security weaknesses to insufficient resources and contractors' lack of knowledge about Federal information security requirements. As a result, USMMA runs the risk that intruders will gain unauthorized access to the large amount of sensitive information stored in its system without detection or response from USMMA.

We are making recommendations to assist USMMA in the establishment of an effective information security program.

[2] Immediately after we succeeded in the penetration of the network, we notified appropriate officials to address the exploited vulnerability.
[3] A patch is software designed to update or repair a problem, such as a security vulnerability, in a computer program.
[4] Office of Management and Budget's (OMB) M-08-05, "Implementation of Trusted Internet Connections (TIC)," November 20, 2007, requires agencies to consolidate external network connections to improve security and better monitor threats across Federal networks.

BACKGROUND

Because it is an institute of higher education that is also a Federal Executive Branch entity, USMMA faces special challenges in compliance with its regulatory information security requirements. It must follow all Federal and DOT information security policies, per FISMA, as well as the laws and regulations that govern academic records and performance. To meet its missions, USMMA must collect sensitive personal information, including social security numbers, medical histories, family information, and student academic histories from over 1050 current midshipmen,[5] 80 faculty, and support staff, as well as alumni.
This large amount of sensitive information results in a significant responsibility for USMMA with regards to the information's security.

[5] As of its Fall 2011 enrollment.

The Academy relies on its information systems to handle applications, provide classroom services, maintain midshipmen's records, and provide administrative support. It uses a single network to both support its academic mission and handle administrative tasks. The development, operation, and security of all of USMMA's information systems are provided under a single services contract. The contractor provides all information technology (IT) services to the Academy under the direction of its Chief Information Officer (CIO). The contractor also provides IT support to the midshipmen on campus, including the issuance and maintenance of student laptops. The midshipmen take these laptops with them when they serve for required periods at sea, and the Academy must continue to provide IT support during these periods.

OIG GAINED REMOTE ACCESS TO USMMA'S WEBSITE, NETWORK, AND SENSITIVE DATA

We gained total access to USMMA's systems during the March 2011 external penetration test we conducted from DOT's headquarters in Washington, DC. A high-severity vulnerability in USMMA's public Website left the Academy's network completely open to compromise and allowed us to gain access to the Academy's Website, network, and data. A high-severity vulnerability is a weakness that can be used to remotely gain control of a system. Other system weaknesses aided our intrusion, including USMMA's posting of its password policy on its public Website, weaknesses in the Academy's system settings and use of administrative accounts, and poor incident detection. Our test demonstrated that all USMMA data, including PII, was at high risk of exposure to hackers.

We requested that USMMA provide us with all data (e.g., computer logs) related to our intrusion to determine whether hackers had successfully compromised the system prior to our test. However, the system administrator had deleted the Web server traffic history and was unable to fully recover the data. The partially reconstituted files were not useful for analysis, so we were unable to make this determination. The deletion of the history files was contrary to the Academy's System Security Plan for the LAN, which states that all logs are to be retained for at least one year. As a result, it is unknown whether the flaw in the Web server software had been previously exploited and, if so, what data had been accessed.

The weaknesses that we exploited were present in USMMA's system because the Academy has not followed NIST's guidance[6] and DOT's policy[7] for protecting information systems. NIST's Special Publication (SP) 800-44 Revision 2 provides guidelines for securing public Web servers—security that would have prevented exploitation of the vulnerability that allowed our access to the network. NIST and DOT also require implementation of standard security controls—which the Academy has not adopted—that include minimum acceptable requirements for configuration management,[8] account management,[9] incident detection and response, and audit log retention. Furthermore, USMMA does not actively monitor the tools that detect possible intrusions such as the one we conducted, and instead reviews the information that the tools provide only after an intrusion is evident.

The Academy has corrected the high-severity vulnerability in its Website that we used to compromise the Web server. However, it has not corrected the other weaknesses we exploited to gain full network access. These weaknesses and those we detected in our on-site vulnerability assessment are discussed below. As a result of these ongoing problems, USMMA remains vulnerable to the loss of PII and would not be prepared to detect or respond to another compromise of its system.

[6] NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.
[7] DOT Departmental Cybersecurity Compendium, June 14, 2011.
[8] A process that ensures that system owners use approved security control baselines for all software. The baselines prescribe the ideal software settings to attain the required degree of security.
[9] A process that creates, modifies and terminates network accounts, including user accounts. System owners use these accounts to grant and control user access.

ADDITIONAL SECURITY WEAKNESSES MAKE USMMA'S NETWORK VULNERABLE

Our May 2011 on-site vulnerability assessment revealed many security control weaknesses in USMMA's system. Database security weaknesses make PII vulnerable to unauthorized access. Furthermore, missing software updates, ineffective security management tools, poor account management, weaknesses in the Academy's security configuration management, the use of an unapproved internet connection, and inadequate management participation in security and contractor oversight put the Academy's entire system at risk for compromise.

Weaknesses in USMMA's Database Security Make PII Vulnerable

USMMA's database management systems had configuration and account management vulnerabilities that jeopardize system security. For example, use of midshipmen's and other users' PII in application development and testing, combined with weak passwords, allowed access to PII, including social security numbers, passport numbers, and password reset questions. Furthermore, all nine database systems we discovered during our network inventory had high-severity vulnerabilities that can allow unauthorized access to them and to the server they run on. For example, default settings, which provide access to sensitive data and privileged administrator commands, are accessible to users who do not need access to them to perform their work.

The Privacy Act[10] requires appropriate administrative and technical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. DOT's Departmental Cybersecurity Compendium requires each System Owner—the official responsible for the development and operation of a system—to implement a process for privileged account management, and institute least-privilege access.
Least privilege means that a user is assigned the minimum rights they need to perform their duties. Because USMMA management gave software developers and database administrators complete control of the Academy's systems and did not conduct security assessments, they were not aware that developers and administrators had not applied the required security controls when they configured the databases. Consequently, PII was easily available to anyone with access to USMMA's network. Furthermore, access to the password reset information allows a hacker to reset another user's password and log on to a system as that user. This unauthorized login would allow the hacker to view the user's email, connect to other systems as the user, and access any sensitive data available to the user—all without an audit trail that would lead back to the hacker.

[10] 5 U.S.C. § 552(e)(10)

The Academy Does Not Properly Update Its Software Applications' Security Patches

USMMA did not ensure that applications installed on servers and user systems were fully patched. USMMA's system for automatic patch deployment was mostly effective in patching operating system[11] vulnerabilities, but did not properly remediate installed applications. During our vulnerability assessment, we found 250 missing patches for high-severity vulnerabilities across 23 servers and support systems in the management portion of the network, the majority of which were in third-party applications. Third-party applications, such as Adobe Reader or Oracle Java, are programs not developed by Microsoft, the Academy's operating system vendor, and are often more difficult to patch since each vendor implements its own update system. As operating systems have become more secure, exploitation of such vulnerabilities in applications has become the primary means for attacks against the systems. USMMA's patch deployment system is not configured to monitor and update all of its third-party software.

DOT Order 1351.37, Cybersecurity Policy (June 14, 2011), requires each component's Information System Security Officer (ISSO) to ensure that cybersecurity notices and advisories are distributed to appropriate personnel, and that vendor-issued security patches are expeditiously installed. USMMA did not have a standardized patch management policy or procedures, or a working vulnerability assessment capability. Because it does not patch high-severity vulnerabilities, USMMA's systems remain at risk for compromise.

The Academy's Security Management Tools Are Ineffective

USMMA has invested a large amount of funds to acquire automated tools to assist its administrators with secure system management and to provide Academy management the data necessary to determine the operating status and weaknesses of information systems. However, the following three tools were not effective because they were not configured to properly identify weaknesses:

• A vulnerability assessment tool used to identify missing patches and misconfigurations;
• A compliance monitoring tool used to verify that systems meet OMB and NIST[12] mandated security levels; and
• A configuration management tool used to install software updates and enforce secure configuration settings.

[11] A set of programs that manages computer hardware resources and provides common services to other programs.
[12] OMB M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, March 22, 2007; NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.

USMMA did not properly configure its systems to allow remote management by the vulnerability assessment and compliance monitoring tools, resulting in incomplete information on the network's security status. Furthermore, USMMA set up the configuration management tool to apply patches to some but not all of its systems and applications. These vulnerabilities existed because the Academy's IT contractors did not have sufficient knowledge to successfully configure the tools, were not trained in the tools' use, and did not perform routine reviews of the tools' reports. Consequently, the Academy's ISSO was not aware that the tools were not working properly, and did not notice that the reports indicated that the vulnerability assessment and compliance monitoring tools could not access the systems to perform their functions. Finally, because the vulnerability assessment tool was providing incomplete results, the ISSO did not detect missing patches.

DOT Order 1351.37 requires security managers to validate their components' information system security reporting, and ensure that security tools are used to their fullest capacity. USMMA's ISSO had not received sufficient training on the use or implementation of those tools. The CIO stated that the tools were new at the time of our visit and had not yet been fully implemented. Since USMMA did not configure its security management tools to fully assess the network, management did not have an accurate representation of the system's risk, and vulnerabilities remained unpatched.

The Academy's Account Management Practices Are Ineffective

The practices that USMMA's system owners use to manage the Academy's user and system accounts do not ensure the accounts' security. We reviewed a list of 20 accounts and found 16 active service accounts—used to run various software—with domain administrator rights. These rights grant full control of a Windows network and allow anyone that gains access to these programs to execute privileged commands. Furthermore, the domain administrator account, which we created during our external exploitation of USMMA's Web server, was deactivated, but had not been removed—a fact that shows that USMMA does not actively manage its privileged accounts.

USMMA also did not properly manage the accounts on its student information database. The database administrator provided us a list of 48 current users that needed access to the student record system. We compared this list to a system-generated report of the active accounts, and identified 261 active users.
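The account review described above, comparing the data owner's list of authorized users against the system-generated report of active accounts, as an added example that is not part of the original report: a Python reconciliation over constructed sample accounts (none are real USMMA accounts) that flags enabled user accounts the owner did not approve, disabled accounts that were never removed, stale accounts, service accounts holding domain administrator rights, and social security number access without an approved need. The 90-day inactivity threshold and the review date are assumptions, not figures from the report.

```python
"""Automated account review of the kind the report says USMMA had not implemented.

Constructed sample data stands in for three exports an auditor is typically handed:
  * AUTHORIZED_USERS: the data owner's list of people who still need access,
  * ACTIVE_REPORT:    the system-generated report of accounts on the system,
  * DOMAIN_ADMINS:    membership of the domain administrators group.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_DATE = date(2012, 3, 16)      # assumed review date (not from the report)
INACTIVE_AFTER = timedelta(days=90)  # assumed inactivity threshold (not from the report)


@dataclass(frozen=True)
class Account:
    name: str
    kind: str          # "user" or "service"
    enabled: bool
    last_logon: date
    ssn_access: bool   # may read the social security number field


# Constructed sample data; none of these are real accounts.
AUTHORIZED_USERS = {"jdoe", "asmith", "registrar1", "bwong"}        # owner's "still needs access" list
SSN_AUTHORIZED = {"registrar1"}                                     # approved need for SSN access
DOMAIN_ADMINS = {"asmith", "svc_backup", "svc_webapp", "test_da"}   # privileged group membership

ACTIVE_REPORT = [
    Account("jdoe",       "user",    True,  date(2012, 3, 10), False),
    Account("asmith",     "user",    True,  date(2012, 3, 12), False),
    Account("registrar1", "user",    True,  date(2012, 3, 14), True),
    Account("bwong",      "user",    True,  date(2011, 10, 1), False),  # authorized but idle
    Account("oldintern",  "user",    True,  date(2010, 6, 1),  True),   # not on the owner's list
    Account("temp_dev",   "user",    True,  date(2012, 2, 20), False),  # not on the owner's list
    Account("svc_backup", "service", True,  date(2012, 3, 15), False),  # runs software as domain admin
    Account("svc_webapp", "service", True,  date(2012, 3, 15), False),  # runs software as domain admin
    Account("test_da",    "user",    False, date(2011, 3, 20), False),  # deactivated, never removed
]


def review_accounts(accounts, authorized, ssn_authorized, domain_admins,
                    review_date=REVIEW_DATE, inactive_after=INACTIVE_AFTER):
    """Reconcile a system-generated account report against what the data owner approved.

    Returns a dict mapping a finding category to a sorted list of account names.
    """
    findings = {
        "disable_unauthorized": [],  # enabled user accounts the owner did not approve
        "remove_disabled": [],       # disabled accounts still present on the system
        "inactive": [],              # enabled but unused past the threshold
        "privileged_service": [],    # service accounts holding domain admin rights
        "excess_ssn_access": [],     # SSN rights without an approved need
    }
    for acct in accounts:
        if not acct.enabled:
            # A disabled account that still exists can be re-enabled; it should be removed.
            findings["remove_disabled"].append(acct.name)
            continue
        if acct.kind == "user" and acct.name not in authorized:
            findings["disable_unauthorized"].append(acct.name)
        if review_date - acct.last_logon > inactive_after:
            findings["inactive"].append(acct.name)
        if acct.kind == "service" and acct.name in domain_admins:
            # Least privilege: software should not run with full control of the domain.
            findings["privileged_service"].append(acct.name)
        if acct.ssn_access and acct.name not in ssn_authorized:
            findings["excess_ssn_access"].append(acct.name)
    return {category: sorted(names) for category, names in findings.items()}


def count_discrepancy(accounts, authorized):
    """The report's headline comparison: enabled user accounts vs. the owner's list.

    Returns (enabled user accounts, authorized users, enabled users not authorized).
    """
    enabled_users = {a.name for a in accounts if a.enabled and a.kind == "user"}
    return len(enabled_users), len(authorized), len(enabled_users - authorized)


if __name__ == "__main__":
    active, approved, excess = count_discrepancy(ACTIVE_REPORT, AUTHORIZED_USERS)
    print(f"{active} enabled user accounts vs. {approved} authorized; {excess} unexplained")
    for category, names in review_accounts(ACTIVE_REPORT, AUTHORIZED_USERS,
                                           SSN_AUTHORIZED, DOMAIN_ADMINS).items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

Run against the real exports, the same reconciliation would have surfaced the 261-versus-48 gap, the 16 privileged service accounts, the deactivated-but-present test account, and the two users with unapproved social security number access in one pass.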
This discrepancy also indicates that the Academy did not actively manage user accounts to remove accounts that were no longer in use. Inactive accounts often have weak passwords and do not alert users when they are locked out, making them ideal targets for password guessing that leads to unauthorized access to systems. We also reviewed users who had access to social security numbers stored in the database. The Academy's CIO identified two users who should not have had access rights to social security numbers, but informed us that the rights had not been removed due to the users' resistance. USMMA also did not perform account reviews to determine whether all accounts had appropriate access rights based on users' duties.

NIST SP 800-53 requires that agencies use automated methods for account management and systems to audit account creation, modification, disabling, and termination. Furthermore, SP 800-53 requires that system account users have only the minimum access privileges they need to perform their duties. Weaknesses in the Academy's student record system account management allow inappropriate and excessive access to sensitive student data.

Many tools are available to assist with ongoing account management and review, but USMMA had not implemented an automated method. The Academy's CIO stated the Academy did not have the resources to review accounts manually or acquire a tool to do so. Consequently, accounts were removed and disabled only intermittently, and a large number of unnecessary accounts remained on the system.

The Academy's Security Settings Do Not Meet Baselines

USMMA has not implemented secure baselines for its systems. Baselines are known secure configuration settings that NIST, industry organizations, and system vendors publish, and are required by DOT Order 1351.37 and NIST SP 800-53 Rev. 3.[13] The Academy's network and database administrators informed us that they do not apply known secure baseline configuration settings for the systems—information that we confirmed with the results of our vulnerability scans. We randomly tested 8,547 out of 125,895 baseline controls[14] and found 3,315 controls required by the Government's common baselines were not present. Based on this, we estimate that 48,829 controls, or 38.8 percent of the 125,895 required controls, were not present.[15] Even if baselines had been applied, midshipmen and some Academy personnel had administrative rights to the system, meaning they could modify settings on their laptops and install software. We found known viruses and other unapproved programs running on both midshipmen's and staff's systems. USMMA's CIO informed us that midshipmen are allowed to install software on their laptops when they are not connected to the network because they own the laptops and spend a considerable amount of time away from campus. However, DOT's policy prohibits connection of personally owned equipment to the Department's information systems. The lack of secure configuration baselines prevents assurance that systems operate in a known secure state.

[13] The Office of Management and Budget requires departments to apply the Federal Desktop Core Configuration on Windows XP systems and the US Government Configuration Baseline on Windows 7 systems.
[14] Our original universe was 231,231 controls, but at the time of our testing, only 125,895 controls were available due to the fact that some computers were not active at the time of the test.
[15] Our estimate has a margin of error of +/- 0.1 percentage points at the 90 percent level of confidence.

Furthermore, USMMA does not maintain an accurate inventory of its network devices, which is necessary to know what security settings are needed to secure a system. DOT Order 1351.37 requires System Owners to develop, document, and maintain inventories of information system components that accurately reflect the content of their systems. The Academy also did not have a single inventory document. It provided various documents that contained inventory information, but not a complete and accurate inventory of the entire network. For example, a system inventory produced by Active Directory—a Microsoft technology for managing computers, users, and other resources in a Windows-based network—contained hundreds of systems no longer present on the network. The lack of an accurate inventory of network devices means that the Academy cannot be sure that secure configurations are applied to all its devices.

USMMA Did Not Use a Trusted Internet Connection

USMMA was not using a Department-approved TIC to access the Internet. The Academy currently gains internet access through a local provider rather than through one of the three DOT-approved TICs. Approved TIC providers have been certified as providers of the required level of security and monitoring in compliance with OMB's requirements. DOT's Cybersecurity Compendium requires that components convert to use of approved TICs by February 29, 2012, in order to comply with an OMB and Department of Homeland Security mandate to limit and monitor internet connections to Government systems. USMMA informed us that it had not yet been able to procure an approved TIC with sufficient bandwidth to replace its current connection. Because the Academy does not use a TIC, it will be unable to meet the program goals of securing federal agencies' external network connections, including Internet connections, and improving the government's incident response capability.

Management Roles and Participation in Security Were Inadequately Defined

USMMA's System Security Plan (SSP) for the LAN was incomplete. An SSP outlines roles and responsibilities for a system's protection and contains a listing of the system's security controls. The SSP for the Academy's LAN, prepared by an independent vendor who assessed the system in December 2009, did not identify the System Owner or Information System Security Manager—the official responsible for ensuring a system is operating securely. It also did not assign specific responsibilities for information security to the Academy's authorizing official—the senior manager that accepts responsibility for the information system's operation—or ISSO. Furthermore, the SSP did not correctly identify the Academy's authorizing official or ISSO.

The ISSO, who is a contractor, had primary responsibility for information security operations, but did not ensure that security functioned as intended. The ISSO submitted incomplete or inaccurate reports on system vulnerabilities, did not deploy system baselines, did not ensure that proper backup procedures existed, and did not perform incident detection. The ISSO also had not received sufficient training on the security tools to use them effectively.
Furthermore, management\ndid not perform sufficient oversight of the contractor to ensure that controls\noperated effectively, that security tools were implemented correctly, that\ncontractor system access privileges were managed, and that contractors with\nsecurity responsibilities received specialized training.\n\nFinally, management did not enforce the network use policy for its midshipmen.\nThe policy met requirements, but had not been officially released or implemented.\nThe midshipmen were not required to acknowledge the policy and were not held\naccountable for policy violations. For instance, the CIO provided the\nCommandant\xe2\x80\x99s office, responsible for student discipline, with names of\nmidshipmen who accessed adult Websites16 over the network, but no disciplinary\nactions were taken.\n\nDOT\xe2\x80\x99s Order 1351.37 requires all components to specify functions for System\nOwners, Information System Security Managers, ISSOs, and authorizing officials\nfor properly implementing their security programs. Furthermore, the Federal\nAcquisition Regulations require that services contracts for operations and security\ninclude specific goals and metrics for acceptable contractor performance, and that\nagencies oversee contractors\xe2\x80\x99 performance. NIST requires that agencies develop\nand enforce rules of behavior that dictate what users can and cannot do on a\nnetwork. USMMA\xe2\x80\x99s contract lacked goals and metrics, and USMMA\xe2\x80\x99s statement\nof work did not include sufficient detail for the scope of the services being\nprocured. Consequently, management was unable to hold the contractor to specific\nperformance metrics. Furthermore, USMMA\xe2\x80\x99s CIO stated that because the\ncontractors were not familiar with FISMA\xe2\x80\x99s information security requirements,\nthey did not comply with the requirements. 
Consequently, critical security\nweaknesses across the network were not identified for remediation, activities that\nthreaten information security were not monitored, and USMMA\xe2\x80\x99s systems and\ndata were at high risk for compromise.\n\n\n\n16\n     Websites that contain sexually explicit audio, text or images (of partial or full nudity) that in general could not be\n     considered poetic or artistic.\n\x0c                                                                              11\n\n\nCONCLUSION\n\nPII is a valuable commodity for hackers. The theft of PII can be costly and\ndetrimental to victims and the organizations entrusted with it. USMMA has\ninvested in expensive security tools. However, because the Academy lacks robust\npolicies and technical expertise to make them effective and protect its systems,\nserious security vulnerabilities exist throughout the Academy\xe2\x80\x99s network. These\nvulnerabilities are exacerbated by the Academy\xe2\x80\x99s ineffective security oversight.\nConsequently, USMMA\xe2\x80\x99s systems remain exposed to unauthorized access which\ncan contribute to the loss of staff and midshipmen\xe2\x80\x99s PII and the theft of their\nidentities, as well as compromise the integrity and availability of the LAN,\nWebsites and databases.\n\nRECOMMENDATIONS\n\nWe recommend that the MARAD Administrator:\n\n   1. Establish policies and procedures for account management, configuration\n      management, incident response continuous monitoring, and security\n      training including appropriate metrics for measuring effectiveness.\n\n   2. Select and implement approved baseline configurations for all USMMA\n      operating systems, applications, and web servers, document baseline\n      deviations for risk acceptance, and submit to DOT OCIO for review and\n      approval.\n\n   3. 
Review accounts for all USMMA systems and applications to determine if\n      they are necessary, have appropriate access rights, and meet DOT access\n      control requirements. Remove, disable, or modify all accounts not currently\n      in compliance with DOT requirements.\n\n   4. Ensure all service accounts have the least privilege necessary to perform\n      their functions.\n\n   5. Fully implement continuous monitoring tools, review and validate results,\n      and apply patches or take corrective actions to mitigate vulnerabilities.\n\n   6. Enforce acceptable use policies for all users, including appropriate\n      corrective actions for non-compliance.\n\n   7. Migrate the external Internet connection to a DOT-approved TIC.\n\n   8. Specify security responsibilities for System Owners, Information System\n      Security Managers, ISSOs, and authorizing officials.\n\n   9. Ensure management provides contract oversight in accordance with DOT\n      policies and procedures.\n\n\nAGENCY COMMENTS AND OIG RESPONSE\n\nWe provided MARAD’s Administrator with a draft of this report on March 27,\n2012, and received its written response on May 1, 2012, which is included in its\nentirety as an appendix to this report. In its response, MARAD concurred with all\nof our recommendations and detailed planned and completed actions to address\nthese recommendations.\n\nACTIONS REQUIRED\n\nWe consider MARAD’s planned and reported actions and target dates responsive\nto all our recommendations and consider them resolved but open pending\ncompletion and documentation of activities. We appreciate the courtesies and\ncooperation of MARAD’s representatives during this audit. 
If you have any\nquestions concerning this report, please call me at (202) 366-1407.\n\n\ncc: Marilyn Hetsel, Interim Director of Information Technology, USMMA\n    Bonnie McLendon, MAR-392\n    Martin Gertel, M-1\n\n\nEXHIBIT A. SCOPE AND METHODOLOGY\n\nWe performed our network security assessment between February 2011 and\nMarch 2012, and conducted our work at MARAD’s Headquarters in Washington,\nD.C., as well as USMMA’s facility in Kings Point, New York. We conducted our\naudit in accordance with generally accepted Government auditing standards.\nThose standards require that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our audit\nobjectives.\n\nTo address our audit objectives, we used the guidance provided in NIST SP 800-115,\nTechnical Guide to Information Security Testing and Assessment (September\n2008), to perform a penetration test and vulnerability assessment of USMMA’s\nLAN and Website using widely available tools and techniques. We interviewed\nUSMMA’s CIO, information technology contractors, and senior leadership to\ndetermine what information and resources were critical to USMMA’s operation\nand how protections were implemented. 
We reviewed and analyzed documents,\npolicies, and procedures related to USMMA’s network infrastructure and Website.\n\nFinally, we used a statistical sample of 68 of 1,001 computers from USMMA’s\nsystem inventory to evaluate compliance with required configuration baselines.\nFor the 37 of the 68 that were available at the time of testing, we used a NIST-\nvalidated configuration assessment tool to compare each computer’s operating\nsystem settings to the appropriate baseline configuration. We tested 231 controls\non each of the 37 computers for a total of 8,547 controls. This statistical sample\nallowed us to project missing controls with a 90 percent confidence level and a\nmargin of error of 0.1 percentage points for the computers that were available.\n\n\nEXHIBIT B. MAJOR CONTRIBUTORS TO THIS REPORT\n\nName                 Title\n\nLouis C. King        Former Program Director\nGerald Steere        Project Manager\nFelicia Moore        Information Technology Specialist\nSusan Neill          Writer-Editor\nMegha Joshipura      Statistician\n\n\nAPPENDIX. AGENCY COMMENTS\n"